But after removing the selection on »Monitor traffic only« and confirming with Save, it would take a veeery long time applying and finally end up with this:
Your hardware only has 1GB of memory. The IPS is a memory consuming process and especially at startup. The IPFire recommendation is for a minimum of 1GB but to increase this if addons are used and especially memory intensive processes like IPS, Web Proxy and URL filter.
On your memory page (under menu status), what does the table at the bottom show for how much swap has been used? Does your swap graph show any colour except green, and what does the RAM line say for % at the right-hand side?
I also notice that your hardware is 32bit. In June last year it was announced that support for the 32bit architecture will be discontinued. It is marked as Legacy in the download page so still downloadable but end of life is scheduled for end of 2021.
For the record: Your observations are right.
But if I read the pictures right, there may be a problem in the WUI/IPS control code.
It would be nice if the thread opener could document the issue a bit more and post a topic to Bugzilla.
As we know, just small systems show up the problems in code.
Having a very small system, I didn’t (and can’t) check this yet. Maybe an inspection of the code shows the reason for this issue.
The peak on Friday night is the time when I activated it.
This morning, after I posted the thread, I changed the ruleset provider to Snort, afterwards the page looked normal.
Then I changed it back to Emergingthreats Comm. rules, did the same thing as yesterday night and it worked. I’ll try to reproduce the failure later and see if it happens again.
But now I've got another question again:
On the »IPS Logs« page there is nothing:
I just started using IPS a week or so back, with just Snort Community Rules and I have found the same thing with my Logs, they are completely empty. I intend to change to some other rules and see if it was my choice of ruleset that was not appropriate.
If no rules have been activated and you want to ensure the IPS is working, enable an IP blocklist (like the ET dshield.rules) for an hour.
Most internet connected systems should see at least one rule activated in that time.
I will give that a try tomorrow.
So I selected the ET dshield rules this morning and within a few minutes I had 6 entries in the logs. Proves the system is working as it should.
So if I am not getting any hits then either no intrusion is being tried on my system or the rules selected are not appropriate for the threats that are appropriate for my network.
As it says in the wiki, the IPS is not a set and forget system. I will go back and read the IPS wiki more thoroughly.